Introduction to Modern Cryptography
Sharif University, Spring 2015

Data and Network Security Lab
Sharif University of Technology
Department of Computer Engineering

A Primer on Modern Cryptography (1)

Author: Ahmad Boorghany
Instructor: Dr. Rasool Jalili

Dec 14, 2015


Outline

- Definition of Modern Cryptography
- Evolution from Classic to Modern Cryptography
- Principles of Modern Cryptography
  - Exact Definitions
  - Precise Assumptions
  - Rigorous Proofs of Security
- An Introduction to Theory of Complexity
- Course Topics


Modern Cryptography

and its relation to classic cryptography


Classic Cryptography

Concise Oxford Dictionary (2006): Cryptography is the art of writing or solving codes.

Classically, cryptography
- Focused solely on secret communication
- Seen as an art, relied on creativity and personal skill
- Used only by military and intelligence

Modern Cryptography

In the late 20th century, cryptography deals with message authentication, digital signatures, protocols for exchanging secret keys, authentication protocols, electronic auctions and elections, digital cash, and more.

Nowadays, cryptography is almost everywhere:
- ATM machines
- Online banking
- All HTTPS websites
- Remote login and file transfer (SSH, …)
- Mobile communications (GSM, …)
- Wireless networking (Wi-Fi, WiMAX, …)

Cryptography is Everywhere!

An encrypted web communication (HTTPS)

Cryptography is Everywhere! (cont.)

11,748 Android apps use cryptography (encryption); however, 10,327 (88%) get it wrong [EBFK13].

Definition of Modern Cryptography

Katz and Lindell [KL08]: (Modern) Cryptography is the scientific study of techniques for securing digital information, transactions, and distributed computations.

Cryptography Concerns

Example: An encryption scheme

Our concerns:
- How to define security goals?
- How to design and ?
- How to gain confidence that achieve our goal?

Cryptography Concerns (cont.)

How does a computer/system protect itself from break-ins (viruses, vulnerabilities, …)?
- Not our concern in this class.

How do we use to ensure security of communication over an insecure network?
- That’s our business.

Classic Ciphers

What is its key length?
However, not very secure!

Classic Ciphers (cont.)

Enigma: German World War II machine
Broken by the British in an effort led by Turing

One-time-pad (OTP) Encryption

Proven by Shannon


Principles of Modern Cryptography


Modern Cryptography: A Computational Science

Security of a “practical” system must rely not on the impossibility but on the computational difficulty of breaking the system.
- “Practical” = more message bits than key bits

Rather than: “It is impossible to break the scheme”
We might be able to say: “Attacks can exist as long as cost to mount them is prohibitive”

Modern Cryptography: A Computational Science (cont.)

A sample security proposition:
- Cannot be broken with probability better than $10^{-30}$ in 200 years, using the fastest available supercomputer.

Cryptography is now not just mathematics; it needs to draw on computer science:
- (Computational) Complexity Theory
- Design of Algorithms

Concrete vs. Asymptotic Security

Two approaches to define security goals:

- Concrete/Exact Security or -Security: No attack using ≤ $2^{160}$ time succeeds with probability ≥ $2^{-20}$
- Asymptotic Security: Any efficient adversary succeeds with only a negligible probability
  - “Efficient” = Probabilistic Polynomial Time (next sess.)
  - “Negligible” = Easily (!) defined by a number of quantifiers

Kerckhoffs’ principle

Auguste Kerckhoffs in the late 19th century: The cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.

Why?
- Easier to maintain secrecy of a short key rather than an algorithm
- Algorithm parts may be leaked: insider or reverse engineering
- Key revocation/reissue is easier than algorithm revocation/reissue!
- Communication between different people: different keys or different algorithms?

Modern Crypto Principles: Exact Definitions

Why exact definitions for security?
- Importance for design
  - To know what to design
  - Not to provide more than what is needed: efficiency
  - (different definitions with different security levels are usually proposed for any crypto concept)
- Importance for usage
  - Application designers match their requirements with what a scheme provides
  - More precise application verification
  - Not to use the most secure scheme if not needed: efficiency
- Importance for study
  - Comparing different schemes
  - More precise efficiency/security trade-off
- Needed for security proofs (later)

Modern Crypto Principles: Precise Assumptions

Most modern cryptographic constructions cannot be proven secure unconditionally.

Thus, they rely on some assumptions:
- Hardness of mathematical problems
- Hardness of cryptographic primitives

Why precise assumptions?
- Validation of the assumption
  - Reliable assumptions should be examined and tested a lot without being successfully refuted.
  - The hardness of an assumption may be implied by another widely-believed hard assumption.
  - Both above need precise assumptions.

Modern Crypto Principles: Precise Assumptions (cont.)

Why precise assumptions?
- Comparison of schemes
  - Scheme A relies on assumption X
  - Scheme B relies on assumption Y
  - (Stronger) assumption X implies (weaker) assumption Y
  - Scheme B is better: X may become invalid while Y still holds, but not vice versa.
  - If X and Y are incomparable: (Usually) more-studied/simpler assumption is better.
- Needed for security proofs (later)

Modern Crypto Principles: Rigorous Proofs of Security

Why a security proof?
- Countless examples of unproven schemes that were broken
  - Sometimes immediately
  - Sometimes years after being presented or deployed
- Security testing is different than software testing
  - Cannot anticipate an adversary strategy
- Experience has shown that intuition here is disastrous.

Modern Crypto Principles: Rigorous Proofs of Security (cont.)

Reductionist Approach: Assumption X reduced to scheme A

Interpretations:
- If an adversary breaks the scheme A, it must have found a fast algorithm for X.
- The only way to break A is to solve X efficiently.

Two sub-approaches:
- Asymptotic: The reduction is itself polynomial-time.
- Concrete: is not much different than .

Example Assumptions: Mathematical Problem

Integer Factorization is hard (after exact formulation)

If a scheme is provably-secure assuming hardness of factorization:
- Bug in the scheme implies
  - attacker has found a way to factor fast
  - attacker is smarter than Gauss
  - and smarter than all living mathematicians

Example Assumptions: Crypto Primitives

Block cipher primitives: DES, AES, ...
Hash functions: MD5, SHA1, SHA2, ...

Features:
- Few such primitives
- Bugs rare
- Design an art, confidence by history.

Drawback: Don’t directly solve any security problem.

Example Assumptions: Crypto Primitives (cont.)

Goal: Solve security problem of direct interest.
Examples: encryption, authentication, digital signatures, key distribution, ...

Features:
- Lots of them
- Bugs common in practice

History shows that building schemes from primitives is usually the weak link:
- AES or SHA-2 secure, yet
- Higher level scheme insecure
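The point that a sound primitive can sit inside an unsound scheme, as an added example that is not part of the original slides: a PRF-based encryption scheme with a constant nonce beside the same scheme with a fresh nonce. HMAC-SHA256 is assumed to behave as a PRF; the function names and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16

def keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter), truncated."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_weak(key, msg):
    """Flawed scheme: constant nonce, so every message meets the same keystream."""
    return xor(msg, keystream(key, bytes(NONCE_LEN), len(msg)))

def encrypt(key, msg):
    """Corrected scheme: fresh random nonce per message, sent with the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))

def decrypt(key, ciphertext):
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor(body, keystream(key, nonce, len(body)))

def compare_schemes():
    """What two ciphertexts reveal to an observer who does not hold the key."""
    key = secrets.token_bytes(32)
    m1, m2 = b"balance=0100", b"balance=9999"  # constructed sample messages
    w1, w2 = encrypt_weak(key, m1), encrypt_weak(key, m2)
    s1, s2 = encrypt(key, m1), encrypt(key, m2)
    return {
        # The keystream cancels: c1 XOR c2 equals m1 XOR m2.
        "weak_leaks_xor": xor(w1, w2) == xor(m1, m2),
        # Deterministic: equal messages give equal ciphertexts.
        "weak_repeats": encrypt_weak(key, m1) == w1,
        "fixed_leaks_xor": xor(s1[NONCE_LEN:], s2[NONCE_LEN:]) == xor(m1, m2),
        "fixed_repeats": encrypt(key, m1) == s1,
        "fixed_round_trip": decrypt(key, s1) == m1 and decrypt(key, s2) == m2,
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The fresh-nonce version addresses only confidentiality against chosen-plaintext attacks (the CPA notion listed in the course topics); it carries no integrity protection.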


Theory of Complexity

An Introduction


Computation Model

Computation in cryptography is done by algorithms.

But, what is an algorithm?
- Wikipedia: a step-by-step procedure for calculations.
- Oxford dictionary: a process or set of rules to be followed in calculations or other problem-solving operations, especially by a computer.

We need a precise definition for algorithm/computation.

Formal definition: An algorithm = A Turing machine

Turing Machines

What is a Turing machine?

Semantics:
- An automaton with access to an infinite tape.
- Initially, the input is on the tape.
- Upon halting (if it halts), the tape content is the output.

Turing Machines (cont.)

What is a Turing machine?

Syntax: is a 5-tuple, where
- is a finite, non-empty set of states
- is the set of symbols
- is the initial state
- is the set of final or accepting states
- is a transition function, where L is left shift, R is right shift, and is no move.

Turing Machines (cont.)

Time complexity of :
- Maximum number of transitions for all inputs of length .
- Some ’s may not be in the domain. Why?

Space complexity of :
- Maximum number of (scratch) memory cells used for all inputs of length .

FACT: Today’s supercomputers can be simulated by a Turing machine.
- The notion of computability is fixed, regardless of the model of computation.

Some text from Wikipedia
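The 5-tuple and the time and space measures from the Turing machine slides, as an added example that is not part of the original deck: a small simulator that takes the worst case over all inputs of a given length. The blank symbol "_", the move name "N" for "no move", the step budget and both sample machines are assumptions of this example; treating a non-halting input as the reason a length falls outside the domain is one reading of the slide's question.

```python
from itertools import product

BLANK = "_"                        # blank tape symbol (notation assumed here)
SHIFT = {"L": -1, "R": 1, "N": 0}  # "N" = no move (name assumed here)

def run(delta, start, accepting, tape_input, max_steps=10_000):
    """Run a deterministic one-tape machine.

    delta maps (state, symbol) -> (new_state, written_symbol, move).
    The machine halts in an accepting state or when no transition applies.
    Returns (halted, accepted, output, transitions, cells_visited).
    """
    tape = dict(enumerate(tape_input))  # sparse tape, unbounded both ways
    state, head, steps, visited = start, 0, 0, {0}
    while state not in accepting and (state, tape.get(head, BLANK)) in delta:
        if steps >= max_steps:          # budget exhausted: report "did not halt"
            return False, False, None, steps, len(visited)
        state, write, move = delta[(state, tape.get(head, BLANK))]
        tape[head] = write
        head += SHIFT[move]
        visited.add(head)
        steps += 1
    lo, hi = min(tape, default=0), max(tape, default=0)
    output = "".join(tape.get(i, BLANK) for i in range(lo, hi + 1)).strip(BLANK)
    return True, state in accepting, output, steps, len(visited)

def complexity(delta, start, accepting, alphabet, n, max_steps=10_000):
    """Worst case (time, space) over all inputs of length n, or None when
    some input exceeds the budget, so no maximum exists for this n."""
    worst_time = worst_space = 0
    for word in product(alphabet, repeat=n):
        halted, _, _, steps, cells = run(
            delta, start, accepting, "".join(word), max_steps)
        if not halted:
            return None
        worst_time, worst_space = max(worst_time, steps), max(worst_space, cells)
    return worst_time, worst_space

# Binary increment: scan right to the end, then propagate the carry leftwards.
INCREMENT = {
    ("right", "0"): ("right", "0", "R"),
    ("right", "1"): ("right", "1", "R"),
    ("right", BLANK): ("carry", BLANK, "L"),
    ("carry", "1"): ("carry", "0", "L"),
    ("carry", "0"): ("done", "1", "N"),
    ("carry", BLANK): ("done", "1", "N"),
}

# A machine that never halts on any input beginning with 1.
SPIN = {("s", "1"): ("s", "1", "N")}

if __name__ == "__main__":
    print(run(INCREMENT, "right", {"done"}, "1011"))
    for n in range(5):
        print(n, complexity(INCREMENT, "right", {"done"}, "01", n))
    print(complexity(SPIN, "s", set(), "01", 1, max_steps=500))
```

For the increment machine the worst input of length n is all ones, which gives 2n + 2 transitions and n + 2 visited cells.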

Course Topics (tentative)

Course Topics

Preliminaries (1 sess.)
- Some fundamental concepts from complexity theory
- Deeper look on security definition and model
- Games as a useful tool for security definition and proof

Primitives (1 sess.)
- Mathematical notions for crypto primitives, e.g., one-way functions (OWF) and trapdoor permutations (TDP)

Pseudo-randomness (1 sess.)
- The notions of randomness and pseudo-randomness
- Mathematical notions to capture pseudo-random primitives, e.g., pseudo-random generators (PRNG) and pseudo-random functions (PRF)

Course Topics (cont.)

Simple cryptographic proofs (1 sess.)
- Constructing and proving secure primitives, e.g., PRFs from PRGs
- Samples of security definitions, attack models, and security proofs.

Symmetric encryption (2 sess.)
- Minimal full-fledged security definition for encryption (CPA)
- Simple encryption scheme built upon PRFs
- Provably-secure operation modes
- Stronger notions of security for symmetric encryption (CCA).

Course Topics (cont.)

Hash functions and message authentication codes (2 sess.)
- Universal and collision-resistant hash function (CRHF)
- Provably-secure message authentication codes
- Provably-secure hash functions from other primitives, such as block ciphers.
- Secure MACs using PRFs, CRHFs, and block ciphers.

Asymmetric (public-key) encryption (3 sess.)
- Different definitions for different levels of security for a public-key encryption scheme (CPA, CCA, CCA2, etc.)
- Constructions: RSA, El-Gamal, GM, etc.

Course Topics (cont.)

Mathematics of public-key cryptography (2 sess.)
- Quick review on mathematical backgrounds, i.e., group theory, factoring, discrete logarithm problems, elliptic curves, etc.

Applied provably-secure schemes (1 sess.)
- Applications of provably-secure schemes
- Authenticated encryption schemes and hybrid encryption

Course Topics (cont.)

Other topics
- Digital signature schemes (2 sess.)
- Simulation-based security definitions (3 sess.)
- Random oracle model (2 sess.)
- Identification and key distribution (3 sess.)
- Two-party and multi-party computation (3 sess.)
- Quantum and post-quantum cryptography (1 sess.)
- Review of other not-covered topics (1 sess.)


Questions?


References

[KL08] Katz, Jonathan, and Yehuda Lindell. Introduction to modern cryptography: principles and protocols. CRC Press, 2007.

[EBFK13] Egele, Manuel, David Brumley, Yanick Fratantonio, and Christopher Kruegel. "An empirical study of cryptographic misuse in Android applications." In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 73-84. ACM, 2013.